Hi Jean-Michel,
  Please see comments inline

Jean-Michel Combes wrote:
> Hi Julien,
>
> 2008/6/12, Julien Laganier <[EMAIL PROTECTED]>:
>> Hello Jean-Michel,
>>
>>
>> On Saturday 07 June 2008, Jean-Michel Combes wrote:
>> > Hi,
>> >
>> > After a quick review, I have one comment and one question:
>> > - IMHO, your solution should work too with anycast addresses case
>>
>>
>> It seems so. It also seems it would work to secure NS/NA exchange based
>> on certificates rather than CGA.
>
> Not sure that certs defined in krishnan-cgaext-send-cert-eku are well
> adapted for such a use: IMHO, prefix ownership is not the same as
> address ownership.

Why not :-)? If the IP address in the certificate is a /128 and the EKU value is "owner" (or some variant of this), these certificates can be used for address ownership.

>
>> To achieve that it would also be
>> necessary to define another EKU (extended key usage) for "Address
>> ownership", in addition to "Router" and "Proxy".
>
> But what is in the cert when you want to use it to proxy NS/NA? An
> address or a prefix?

The /128 address of the node with eku value of "owner"

>
>>
>> > - How will a ND-Proxy get the certificate authorizing it to act as an
>> > ND-Proxy?
>>
>>
>> In the same fashion that a Router gets the certificate authorizing it to
>> act as a router.
>
> May I have details in the case of the MIPv6 scenario? Specially, who
> does provide the cert?

In very basic terms, the certificate is provided by anyone that the MN trusts. E.g., this could be the mobility service provider.

Cheers
Suresh

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
